Amendments to the Claims



Claim 1 (currently amended): A computer program product for enabling a subsequent user sign-on during a certificate-based host access session, said computer program product embodied on a computer-readable medium and comprising:
computer-readable program code means for processing a first sign-on during a secure session using a digital certificate, further comprising:
computer-readable program code means for establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;
computer-readable program code means for storing said digital certificate or a reference thereto at said server machine;
computer-readable program code means for establishing a session from said server machine to a host system using a legacy host communication protocol responsive to receiving, at said server machine, a first sign-on request from said client machine, wherein said first sign-on request identifies a first secure legacy host application to which said first sign-on is requested;
computer-readable program code means for passing said stored digital certificate or said reference from said server machine to a host access security system;
computer-readable program code means, operable in said host access security system, for authenticating said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;
computer-readable program code means, operable in said host access security system, for using said passed or retrieved digital certificate to locate access credentials for said user;
computer-readable program code means, operable in said host access security system, for accessing a stored password or generating a password substitute representing said located credentials;
computer-readable program code means, operable in said host access security system, for returning said stored password or generated password substitute to said server machine, along with a first user identifier corresponding to said located credentials; and
computer-readable program code means, operable in said server machine, for using said returned [[stored]] password or [[said generated]] password substitute and said returned first user identifier to transparently complete said first sign-on, on behalf of said user of said client machine, to [[a]] said first secure legacy host application executing at said host system; and
computer-readable program code means for processing a subsequent sign-on of said user during said secure session using said digital certificate, [[wherein said subsequent sign-on requests access to said secure legacy host application or a different legacy host application,]] further comprising:
computer-readable program code means for receiving a subsequent sign-on request at said server machine from said client machine, wherein: (1) said subsequent sign-on request identifies a second secure legacy host application to which said subsequent sign-on is requested; (2) said subsequent sign-on requires authenticating a requester of said subsequent sign-on [[requiring said identity]]; (3) said second secure legacy host application may be identical to said first secure legacy host application; and (4) said requester of said subsequent sign-on is said user;
computer-readable program code means, operable at said server machine, for retrieving said stored digital certificate or reference;
computer-readable program code means for passing said retrieved digital certificate or reference from said server machine to said host access security system;
computer-readable program code means, operable in said host access security system, for re-authenticating said identity of said user, thereby authenticating said requester, using said passed retrieved digital certificate or retrieved reference;
computer-readable program code means, operable in said host access security system, for using said passed retrieved digital certificate or retrieved reference to again re-locate said access credentials for said user;
computer-readable program code means, operable in said host access security system, for re-accessing said stored password or generating a new password substitute representing said re-located credentials;
computer-readable program code means, operable in said host access security system, for returning said re-accessed stored password or generated new password substitute to said server machine, along with said user identifier corresponding to said re-located credentials; and
computer-readable program code means, operable in said server machine, for using said returned re-accessed [[stored]] password or [[said]] new password substitute and said returned user identifier corresponding to said re-located credentials to transparently complete said subsequent sign-on, on behalf of said requester, to said second secure legacy host application executing at said host system [[or said different legacy host application]].

Serial No. 09/619,205 -9- Docket RSW9-2000-0035-US1
Claim 2 (currently amended): The computer program product as claimed in Claim 1, wherein said digital certificate [[is an]] and said second digital certificate are X.509 [[certificate]] certificates and said digital certificate reference is a reference to an X.509 certificate.

Claim 3 (original): The computer program product as claimed in Claim 1, wherein said communication protocol is a 3270 emulation protocol.

Claim 4 (original): The computer program product as claimed in Claim 1, wherein said communication protocol is a 5250 emulation protocol.

Claim 5 (original): The computer program product as claimed in Claim 1, wherein said communication protocol is a Virtual Terminal protocol.

Claim 6 (original): The computer program product as claimed in Claim 3, wherein said host access security system is a Resource Access Control Facility (RACF) system.

Claim 7 (original): The computer program product as claimed in Claim 1, wherein said server machine is a Web application server machine.

Claim 8 (currently amended): The computer program product as claimed in Claim 1, wherein:
said computer-readable program code means for processing said first sign-on further [[comprising]] comprises:

PAGE 12/39 * RCVD AT 5/10/2004 4:18:46 PM [Eastern Daylight Time] * SVR:USPTO-EFXRF-1/5 * DNIS:8729306 * CSID:4073437587 * DURATION (mm-ss):10-08

05/11/2004 04:18 4073437587 FAX PAGE 13



computer-readable program code means for requesting by said first secure legacy host application, responsive to said computer-readable program code means for establishing said session, first sign-on information for said user; and
computer-readable program code means for responding to said request for first sign-on information by sending a first sign-on message with placeholders from said client machine to said server machine, said placeholders representing a user identification and a password of said user; and
said computer-readable program code means for using said returned password or password substitute and said returned first user identifier to transparently complete said first sign-on further comprises:
computer-readable program code means for substituting [[a]] said returned user identifier [[associated with said located access credentials]] and said returned stored password or said [[generated]] password substitute for said placeholders in said first sign-on message, thereby creating a revised first sign-on message; and
computer-readable program code for forwarding said revised first sign-on message from said server machine to said first secure legacy host application.
[[computer-readable program code means for requesting, by said legacy host application, subsequent sign-on information for said user;
computer-readable program code means for responding to said request for subsequent sign-on information by sending a subsequent sign-on message with placeholders from said client machine to said server machine, said placeholders representing said user identification and said password of said user; and
computer-readable program code means for substituting said user identifier associated with said relocated access credentials and said re-accessed stored password or said new password substitute for said placeholders in said subsequent sign-on message.]]
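The sign-on flow of Claims 1 and 8 (first and subsequent sign-on over one certificate-based session, with placeholder substitution at the server machine), as an added Python simulation that is not part of this application or of any product it describes. The host access security system role, the `LOGON $USERID $PASSWORD` message format, the SHA-256 fingerprint used as the certificate reference and the HMAC-based, one-time, application-bound password substitute are all assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import time

# Placeholders the client puts in its sign-on message (constructed convention).
USERID_PLACEHOLDER = "$USERID"
PASSWORD_PLACEHOLDER = "$PASSWORD"


def fingerprint(cert):
    """Reference to a stored certificate: its SHA-256 fingerprint (assumed representation)."""
    return hashlib.sha256(cert).hexdigest()


class HostAccessSecuritySystem:
    """Plays the host access security system of the claims (RACF in Claims 6, 13 and 20).
    It authenticates the certificate, locates the user's host credentials and returns a
    password substitute; the stored host password itself never leaves it."""

    WINDOW = 600  # validity window of a substitute, in seconds (assumed policy)

    def __init__(self, cert_to_userid):
        self._cert_to_userid = cert_to_userid  # fingerprint -> host user id (constructed)
        self._key = os.urandom(32)             # secret shared with the host applications
        self._used = set()                     # substitutes already consumed (one-time use)

    def authenticate_and_locate(self, cert):
        """Authenticate the passed certificate and locate the credentials it maps to."""
        userid = self._cert_to_userid.get(fingerprint(cert))
        if userid is None:
            raise PermissionError("certificate is not mapped to any host user")
        return userid

    def _tag(self, userid, app, window, nonce):
        msg = f"{userid}|{app}|{window}|{nonce}".encode()
        return hmac.new(self._key, msg, "sha256").hexdigest()[:16]

    def password_substitute(self, userid, app, now=None):
        """Generate a fresh substitute bound to user, target application and time window."""
        window = int((time.time() if now is None else now) // self.WINDOW)
        nonce = os.urandom(8).hex()  # makes every substitute different
        return f"{nonce}.{self._tag(userid, app, window, nonce)}"

    def verify_substitute(self, userid, app, substitute, now=None):
        """Accept a substitute once, for the right user and application, within its window."""
        if substitute in self._used:
            return False
        window = int((time.time() if now is None else now) // self.WINDOW)
        nonce, _, tag = substitute.partition(".")
        if not hmac.compare_digest(self._tag(userid, app, window, nonce), tag):
            return False
        self._used.add(substitute)
        return True


class LegacyHostApp:
    """A secure legacy host application; it validates the sign-on with the security system."""

    def __init__(self, name, security):
        self.name = name
        self._security = security

    def logon(self, message):
        # Constructed sign-on message format: "LOGON <userid> <password or substitute>".
        parts = message.split()
        if len(parts) != 3 or parts[0] != "LOGON":
            return "LOGON REJECTED"
        _, userid, secret = parts
        if not self._security.verify_substitute(userid, self.name, secret):
            return "LOGON REJECTED"
        return f"LOGON ACCEPTED {userid}"


class ServerMachine:
    """The server machine: stores the session certificate and completes sign-ons transparently."""

    def __init__(self, security, host_apps):
        self._security = security
        self._host_apps = host_apps  # application name -> LegacyHostApp
        self._sessions = {}          # session id -> stored client certificate

    def establish_secure_session(self, client_cert):
        # The TLS handshake that validated the client certificate is assumed to have happened.
        session_id = os.urandom(8).hex()
        self._sessions[session_id] = client_cert
        return session_id

    def sign_on(self, session_id, app, message):
        """First and subsequent sign-ons take the same path: retrieve the stored certificate,
        (re-)authenticate it, obtain a fresh substitute, fill the placeholders and forward."""
        cert = self._sessions[session_id]
        userid = self._security.authenticate_and_locate(cert)
        substitute = self._security.password_substitute(userid, app)
        revised = message.replace(USERID_PLACEHOLDER, userid).replace(PASSWORD_PLACEHOLDER, substitute)
        return self._host_apps[app].logon(revised)


def demo():
    """One secure session, three sign-ons to two host applications, no password prompt."""
    cert = b"-----BEGIN CERTIFICATE-----\nconstructed sample client certificate\n-----END CERTIFICATE-----\n"
    security = HostAccessSecuritySystem({fingerprint(cert): "USER01"})
    apps = {name: LegacyHostApp(name, security) for name in ("CICSPROD", "TSO")}
    server = ServerMachine(security, apps)
    sid = server.establish_secure_session(cert)
    first = server.sign_on(sid, "CICSPROD", "LOGON $USERID $PASSWORD")
    second = server.sign_on(sid, "TSO", "LOGON $USERID $PASSWORD")       # a different application
    third = server.sign_on(sid, "CICSPROD", "LOGON $USERID $PASSWORD")   # the same application again
    return first, second, third
```

Each sign-on yields a new substitute, so a captured substitute cannot be replayed and one bound to another application is rejected; the host password is never placed in a sign-on message.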

Claim 9 (currently amended): The computer program product as claimed in Claim 7, wherein:
said computer-readable program code means for using said returned password or password substitute and said returned first user identifier to transparently complete said first sign-on further [[comprising]] comprises:
computer-readable program code means for requesting by said first secure legacy host application, responsive to said computer-readable program code means for establishing said session, first sign-on information for said user; and
computer-readable program code means for responding to said request for first sign-on information by supplying, from said server machine to said first secure legacy host application, [[a]] said returned user identifier [[associated with said located access credentials]] and said returned stored password or said generated password substitute [[at said server machine; computer-readable program code means for requesting, by said legacy host application, subsequent sign-on information for said user; and computer-readable program code means for responding to said request for subsequent sign-on information by supplying said user identifier associated with said relocated access credentials and said re-accessed stored password or said new password substitute at said server machine]].






Claim 10 (currently amended): A system for enabling a subsequent user sign-on during a certificate-based host access session, comprising:
means for processing a first sign-on during a secure session using a digital certificate, further comprising:
means for establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;
means for storing said digital certificate or a reference thereto at said server machine;
means for establishing a session from said server machine to a host system using a legacy host communication protocol responsive to receiving, at said server machine, a first sign-on request from said client machine, wherein said first sign-on request identifies a first secure legacy host application to which said first sign-on is requested;
means for passing said stored digital certificate or said reference from said server machine to a host access security system;
means, operable in said host access security system, for authenticating said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;
means, operable in said host access security system, for using said passed or retrieved digital certificate to locate access credentials for said user;
means, operable in said host access security system, for accessing a stored password or generating a password substitute representing said located credentials;
means, operable in said host access security system, for returning said stored password or generated password substitute to said server machine, along with a first user identifier corresponding to said located credentials; and
means, operable in said server machine, for using said returned [[stored]] password or [[said generated]] password substitute and said returned first user identifier to transparently complete said first sign-on, on behalf of said user of said client machine, to [[a]] said first secure legacy host application executing at said host system; and
means for processing a subsequent sign-on of said user during said secure session using said digital certificate, [[wherein said subsequent sign-on requests access to said secure legacy host application or a different legacy host application,]] further comprising:
means for receiving a subsequent sign-on request at said server machine from said client machine, wherein: (1) said subsequent sign-on request identifies a second secure legacy host application to which said subsequent sign-on is requested; (2) said subsequent sign-on requires authenticating a requester of said subsequent sign-on [[requiring said identity]]; (3) said second secure legacy host application may be identical to said first secure legacy host application; and (4) said requester of said subsequent sign-on is said user;
means, operable at said server machine, for retrieving said stored digital certificate or reference;
means for passing said retrieved digital certificate or reference from said server machine to said host access security system;
means, operable in said host access security system, for re-authenticating said identity of said user, thereby authenticating said requester, using said passed retrieved digital certificate or retrieved reference;
means, operable in said host access security system, for using said passed retrieved digital certificate or retrieved reference to again re-locate said access credentials for said user;
means, operable in said host access security system, for re-accessing said stored password or generating a new password substitute representing said re-located credentials;
means, operable in said host access security system, for returning said re-accessed stored password or generated new password substitute to said server machine, along with said user identifier corresponding to said re-located credentials; and
means, operable in said server machine, for using said returned re-accessed [[stored]] password or [[said]] new password substitute and said returned user identifier corresponding to said re-located credentials to transparently complete said subsequent sign-on, on behalf of said requester, to said second secure legacy host application executing at said host system [[or said different legacy host application]].

Claim 11 (currently amended): The system as claimed in Claim 10, wherein said digital certificate [[is an]] and said second digital certificate are X.509 [[certificate]] certificates and said digital certificate reference is a reference to an X.509 certificate.

Claim 12 (original): The system as claimed in Claim 10, wherein said communication protocol is a 3270 emulation protocol.

Claim 13 (original): The system as claimed in Claim 12, wherein said host access security system is a Resource Access Control Facility (RACF) system.

Claim 14 (original): The system as claimed in Claim 10, wherein said server machine is a Web application server machine.

Claim 15 (currently amended): The system as claimed in Claim 10, wherein:
said means for processing said first sign-on further [[comprising]] comprises:
means for requesting by said first secure legacy host application, responsive to said means for establishing said session, first sign-on information for said user; and
means for responding to said request for first sign-on information by sending a first sign-on message with placeholders from said client machine to said server machine, said placeholders representing a user identification and a password of said user; and
said means for using said returned password or password substitute and said returned first user identifier to transparently complete said first sign-on further comprises:
means for substituting [[a]] said returned user identifier [[associated with said located access credentials]] and said returned stored password or [[said generated]] password substitute for said placeholders in said first sign-on message, thereby creating a revised first sign-on message; and
means for forwarding said revised first sign-on message from said server machine to said first secure legacy host application.
[[means for requesting, by said legacy host application, subsequent sign-on information for said user;
means for responding to said request for subsequent sign-on information by sending a subsequent sign-on message with placeholders from said client machine to said server machine, said placeholders representing said user identification and said password of said user; and
means for substituting said user identifier associated with said re-located access credentials and said re-accessed stored password or said new password substitute for said placeholders in said subsequent sign-on message.]]

Claim 16 (currently amended): The system as claimed in Claim 14, wherein:
said means for using said returned password or password substitute and said returned first user identifier to transparently complete said first sign-on further [[comprising]] comprises:
means for requesting by said first secure legacy host application, responsive to said means for establishing said session, first sign-on information for said user; and
means for responding to said request for first sign-on information by supplying, from said server machine to said first secure legacy host application, [[a]] said returned user identifier [[associated with said located access credentials]] and said returned stored password or said generated password substitute [[at said server machine; means for requesting, by said legacy host application, subsequent sign-on information for said user; and means for responding to said request for subsequent sign-on information by supplying said user identifier associated with said re-located access credentials and said re-accessed stored password or said new password substitute at said server machine]].
Claim 17 (currently amended): A method for enabling a subsequent user sign-on during a certificate-based host access session, comprising the steps of:
processing a first sign-on during a secure session using a digital certificate, further comprising the steps of:
establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;
storing said digital certificate or a reference thereto at said server machine;
establishing a session from said server machine to a host system using a legacy host communication protocol, responsive to receiving, at said server machine, a first sign-on request from said client machine, wherein said first sign-on request identifies a first secure legacy host application to which said first sign-on is requested;
passing said stored digital certificate or said reference from said server machine to a host access security system;
authenticating, by said host access security system, said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;
using, by said host access security system, said passed or retrieved digital certificate to locate access credentials for said user;
accessing, by said host access security system, a stored password or generating a password substitute representing said located credentials;
returning, by said host access security system, said stored password or generated password substitute to said server machine along with a first user identifier corresponding to said located credentials; and
using, by said server machine, said returned [[stored]] password or [[said generated]] password substitute and said returned first user identifier to transparently complete said first sign-on, on behalf of said user of said client machine, to [[a]] said first secure legacy host application executing at said host system; and
processing a subsequent sign-on of said user during said secure session using said digital certificate, [[wherein said subsequent sign-on requests access to said secure legacy host application or a different legacy host application,]] further comprising the steps of:
receiving a subsequent sign-on request at said server machine from said client machine, wherein: (1) said subsequent sign-on request identifies a second secure legacy host application to which said subsequent sign-on is requested; (2) said subsequent sign-on requires authenticating a requester of said subsequent sign-on [[requiring said identity]]; (3) said second secure legacy host application may be identical to said first secure legacy host application; and (4) said requester of said subsequent sign-on is said user;
retrieving, by said server machine, said stored digital certificate or reference;
passing said retrieved digital certificate or reference from said server machine to said host access security system;
re-authenticating, by said host access security system, said identity of said user, thereby authenticating said requester, using said passed retrieved digital certificate or retrieved reference;
using, by said host access security system, said passed retrieved digital certificate or retrieved reference to again re-locate said access credentials for said user;
re-accessing, by said host access security system, said stored password or generating a new password substitute representing said re-located credentials;
returning, by said host access security system, said re-accessed stored password or generated new password substitute to said server machine, along with said user identifier corresponding to said re-located credentials; and
using, by said server machine, said returned re-accessed [[stored]] password or [[said]] new password substitute and said returned user identifier corresponding to said re-located credentials to transparently complete said subsequent sign-on, on behalf of said requester, to said second secure legacy host application executing at said host system [[or said different legacy host application]].

Claim 18 (currently amended): The method as claimed in Claim 17, wherein said digital certificate [[is an]] and said second digital certificate are X.509 [[certificate]] certificates and said digital certificate reference is a reference to an X.509 certificate.

Claim 19 (original): The method as claimed in Claim 17, wherein said communication protocol is a 3270 emulation protocol.

Claim 20 (original): The method as claimed in Claim 19, wherein said host access security system is a Resource Access Control Facility (RACF) system.

Claim 21 (original): The method as claimed in Claim 17, wherein said server machine is a Web application server machine.

Claim 22 (currently amended): The method as claimed in Claim 17, wherein:
said step of processing said first sign-on further [[comprising]] comprises the steps of:
requesting by said first secure legacy host application, responsive to said step of establishing said session, first sign-on information for said user; and
responding to said request for first sign-on information by sending a first sign-on message with placeholders from said client machine to said server machine, said placeholders representing a user identification and a password of said user; and
said step of using said returned password or password substitute and said returned first user identifier to transparently complete said first sign-on further comprises the steps of:
substituting [[a]] said returned user identifier [[associated with said located access credentials]] and said returned stored password or said generated password substitute for said placeholders in said first sign-on message, thereby creating a revised first sign-on message; and
forwarding said revised first sign-on message from said server machine to said first secure legacy host application.
[[requesting, by said legacy host application, subsequent sign-on information for said user;
responding to said request for subsequent sign-on information by sending a subsequent sign-on message with placeholders from said client machine to said server machine, said placeholders representing said user identification and said password of said user; and
substituting said user identifier associated with said relocated access credentials, and said re-accessed stored password or said new password substitute for said placeholders in said subsequent sign-on message.]]

Claim 23 (currently amended): The method as claimed in Claim 21, wherein:
said step of using said returned password or password substitute and said returned first user identifier to transparently complete said first sign-on further [[comprising]] comprises the steps of:
requesting by said first secure legacy host application, responsive to said step of establishing said session, first sign-on information for said user; and
responding to said request for first sign-on information by supplying, from said server machine to said first secure legacy host application, [[a]] said returned user identifier [[associated with said located access credentials]] and said returned stored password or said generated password substitute [[at said server machine; requesting, by said legacy host application, subsequent sign-on information for said user; and responding to said request for subsequent sign-on information by supplying said user identifier associated with said re-located access credentials and said re-accessed stored password or said new password substitute at said server machine]].

Claim 24 (new): The computer program product as claimed in Claim 1, wherein:
said computer-readable program code means for processing said subsequent sign-on further comprises:
computer-readable program code means for requesting, by said second secure legacy host application, subsequent sign-on information for said requester; and
computer-readable program code means for responding to said request for subsequent sign-on information by sending a subsequent sign-on message with placeholders from said client machine to said server machine, said placeholders representing said user identification and said password of said user; and
said computer-readable program code means for using said returned re-accessed password or new password substitute and said returned user identifier corresponding to said re-located credentials to transparently complete said second sign-on further comprises:
computer-readable program code means for substituting said returned user identifier corresponding to said re-located credentials and said returned re-accessed password or new password substitute for said placeholders in said subsequent sign-on message, thereby creating a revised subsequent sign-on message; and
computer-readable program code means for forwarding said revised subsequent sign-on message from said server machine to said second secure legacy host application.

Claim 25 (new): The computer program product as claimed in Claim 7, wherein said computer-readable program code means for processing said subsequent sign-on further comprises:
computer-readable program code means for requesting, by said second secure legacy host application, subsequent sign-on information for said requester; and
computer-readable program code means for responding to said request for subsequent sign-on information by supplying, from said server machine to said second secure legacy host application, said returned user identifier associated with said re-located credentials and said returned re-accessed password or new password substitute.

Claim 26 (new): The system as claimed in Claim 10, wherein:
said means for processing said subsequent sign-on further comprises:
means for requesting, by said second secure legacy host application, subsequent sign-on information for said requester; and
means for responding to said request for subsequent sign-on information by sending a subsequent sign-on message with placeholders from said client machine to said server machine, said placeholders representing said user identification and said password of said user; and
said means for using said returned re-accessed password or new password substitute and said returned user identifier corresponding to said re-located credentials to transparently complete said second sign-on further comprises:
means for substituting said returned user identifier corresponding to said re-located credentials and said returned re-accessed password or new password substitute for said placeholders in said subsequent sign-on message, thereby creating a revised subsequent sign-on message; and
means for forwarding said revised subsequent sign-on message from said server machine to said second secure legacy host application.

Claim 27 (new): The system as claimed in Claim 14, wherein said means for processing said subsequent sign-on further comprises:
means for requesting, by said second secure legacy host application, subsequent sign-on information for said requester; and
means for responding to said request for subsequent sign-on information by supplying, from said server machine to said second secure legacy host application, said returned user identifier associated with said re-located credentials and said returned re-accessed password or new password substitute.



Claim 28 (new): The method as claimed in Claim 17, wherein:
    said step of processing said subsequent sign-on further comprises the steps of:
        requesting, by said second secure legacy host application, subsequent sign-on information for said requester; and
        responding to said request for subsequent sign-on information by sending a subsequent sign-on message with placeholders from said client machine to said server machine, said placeholders representing said user identification and said password of said user; and
    said step of using said returned re-accessed password or new password substitute and said returned user identifier corresponding to said re-located credentials to transparently complete said second sign-on further comprises the steps of:
        substituting said returned user identifier corresponding to said re-located credentials and said returned re-accessed password or new password substitute for said placeholders in said subsequent sign-on message, thereby creating a revised subsequent sign-on message; and
        forwarding said revised subsequent sign-on message from said server machine to said second secure legacy host application.

Serial No. 09/619,205 -25- Docket RSW9-2000-Q035-US1

Claim 29 (new): The method as claimed in Claim 21, wherein said step of processing said subsequent sign-on further comprises the steps of:
    requesting, by said second secure legacy host application, subsequent sign-on information for said requester; and
    responding to said request for subsequent sign-on information by supplying, from said server machine to said second secure legacy host application, said returned user identifier associated with said re-located credentials and said returned re-accessed password or new password substitute.


Claim 30 (new): A computer-implemented method for enabling an identity to be subsequently provided during a certificate-based host access session, comprising steps of:
    establishing a secure session between a client and a server using a digital certificate owned by a user of said client;
    remembering said digital certificate at said server;
    completing a first sign-on to a host application, by said server on behalf of said user, responsive to receiving an asynchronous sign-on request from said client that identifies said host application, further comprising the steps of:
        using said remembered digital certificate to authenticate said user to a host access security component;
        if said user is authenticated, locating, by said host access security component, access credentials of said user;
        creating, by said host access security component, a passticket that represents said located access credentials;
        returning said passticket from said host access security component to said server, along with a user identifier associated with said located access credentials; and
        inserting, by said server, said passticket and said user identifier into a log-on message in place of placeholders therefor, when said log-on message is received at said server from said client, thereby creating a revised log-on message that is then sent from said server to sign said user on to said host application; and
    completing a subsequent sign-on to a second host application, by said server on behalf of said user, responsive to receiving a second asynchronous sign-on request from said client that identifies said second host application, wherein said second host application may be identical to said host application, further comprising the steps of:
        passing said remembered digital certificate from said server to said host access security component for authenticating said user for access to said second host application;
        if said user is authenticated for access to said second host application, locating, by said host access security component, second access credentials of said user, wherein said second access credentials may be identical to said located access credentials;
        creating, by said host access security component, a second passticket that represents said located second access credentials of said user;
        returning said second passticket from said host access security component to said server, along with a second user identifier associated with said second located access credentials; and
        inserting said returned second passticket and said returned second user identifier into a subsequent log-on message that is then sent from said server to sign said user on to said second host application.
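As an added illustration of the flow claimed in Claims 26 through 30 (this is example code written for this page, not code from the patent or from any IBM product), the following Python simulation walks through the steps once for a first host application and again for a second one: the server remembers the certificate presented during the secure session, passes it to a host access security component that locates the user's access credentials for the named application, receives back a passticket together with the associated user identifier, and substitutes both for the placeholders in the client's log-on message. Everything concrete here is an assumption: the certificate is a constructed byte string identified by its SHA-256 fingerprint, the credential store is a small dictionary, the placeholder names `$USERID` and `$PASSWORD` are invented, and the passticket is a constructed HMAC-based one-time token standing in for the host's real passticket scheme, which the claims do not specify. The host-side `verify_passticket` check (application binding, time window, single use) is likewise a hypothetical addition showing the properties a defender would want such a substitute credential to have.

```python
"""Constructed simulation of the certificate-to-passticket sign-on flow of Claims 26-30.

Hypothetical names throughout (not the patent's or IBM's code): HostAccessSecurity,
Server, CREDENTIAL_STORE, the $USERID/$PASSWORD placeholders and the HMAC passticket.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the client's certificate (not a real certificate).
SAMPLE_CLIENT_CERT = b"-----CONSTRUCTED CERT: CN=alice, O=Example-----"
_FP = hashlib.sha256(SAMPLE_CLIENT_CERT).hexdigest()

# Constructed credential store of the host access security component:
# (certificate fingerprint, host application) -> host user identifier.
# The same certificate may map to different user ids on different applications.
CREDENTIAL_STORE = {(_FP, "CICSPROD"): "ALICE01", (_FP, "TSO"): "ALICET"}

PASSTICKET_KEY = secrets.token_bytes(32)  # assumed shared by security component and host
PASSTICKET_WINDOW = 60                      # seconds a passticket is accepted (assumption)

USERID_PLACEHOLDER = "$USERID"     # invented placeholder names
PASSWORD_PLACEHOLDER = "$PASSWORD"


@dataclass
class HostAccessSecurity:
    """Authenticates the remembered certificate and mints a passticket for one application."""
    store: dict
    key: bytes
    used: set = field(default_factory=set)  # host-side single-use enforcement

    def locate_credentials(self, cert: bytes, app: str) -> Optional[str]:
        """User id for this certificate on this application, or None if not authorized."""
        return self.store.get((hashlib.sha256(cert).hexdigest(), app))

    def _tag(self, user_id: str, app: str, window: int, nonce: str) -> str:
        msg = f"{user_id}|{app}|{window}|{nonce}".encode()
        return hmac.new(self.key, msg, "sha256").hexdigest()[:16]

    def create_passticket(self, user_id: str, app: str, now: Optional[int] = None) -> str:
        """Constructed passticket: HMAC over (user, application, time window, nonce)."""
        window = (int(time.time()) if now is None else now) // PASSTICKET_WINDOW
        nonce = secrets.token_hex(4)
        return f"{window}.{nonce}.{self._tag(user_id, app, window, nonce)}"

    def verify_passticket(self, ticket: str, user_id: str, app: str,
                          now: Optional[int] = None) -> bool:
        """Host-side check: bound to user and application, fresh, and never used before."""
        try:
            window_s, nonce, tag = ticket.split(".")
            window = int(window_s)
        except ValueError:
            return False
        current = (int(time.time()) if now is None else now) // PASSTICKET_WINDOW
        if current - window not in (0, 1):        # accept current and previous window
            return False
        if not hmac.compare_digest(self._tag(user_id, app, window, nonce), tag):
            return False
        if ticket in self.used:                   # replayed passticket
            return False
        self.used.add(ticket)
        return True

    def sign_on(self, cert: bytes, app: str):
        """Authenticate, locate credentials, then return (passticket, user id) or None."""
        user_id = self.locate_credentials(cert, app)
        if user_id is None:
            return None
        return self.create_passticket(user_id, app), user_id


@dataclass
class Server:
    security: HostAccessSecurity
    sessions: dict = field(default_factory=dict)  # session id -> remembered certificate

    def establish_secure_session(self, client_cert: bytes) -> str:
        """Remember the certificate presented when the secure session was established."""
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = client_cert
        return session_id

    def complete_sign_on(self, session_id: str, app: str, logon_message: str) -> Optional[str]:
        """Replace the placeholders in the client's log-on message with the returned values.

        The client never sees the passticket or the host user id: substitution is server-side,
        and the same remembered certificate serves every subsequent sign-on on this session.
        """
        result = self.security.sign_on(self.sessions[session_id], app)
        if result is None:
            return None
        passticket, user_id = result
        return (logon_message.replace(USERID_PLACEHOLDER, user_id)
                             .replace(PASSWORD_PLACEHOLDER, passticket))


if __name__ == "__main__":
    srv = Server(HostAccessSecurity(CREDENTIAL_STORE, PASSTICKET_KEY))
    sid = srv.establish_secure_session(SAMPLE_CLIENT_CERT)
    print(srv.complete_sign_on(sid, "CICSPROD", "LOGON APPLID=CICSPROD USERID=$USERID PASSWORD=$PASSWORD"))
    print(srv.complete_sign_on(sid, "TSO", "LOGON APPLID=TSO USERID=$USERID PASSWORD=$PASSWORD"))
```

Running the block prints the two revised log-on messages; the user id and passticket differ per application even though the client presented one certificate once. The binding of the passticket to a single application and a single use is what makes the substitute credential safer than storing or forwarding a reusable password, which is the property the claims' "password substitute" relies on.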